I think I was "hacked" please help!

Status
Not open for further replies.

mrphillyblunt

Dabbler
Joined
Jun 28, 2017
Messages
17
I'm the first to admit I don't know what I'm doing in FreeNAS, but I really like having the server. I came down this morning and TeamViewer was up on my screen (I don't have TeamViewer).

Upon further investigation, someone from the UK got into my PayPal and drained my account (I got it all back).

Now I'm super worried. How could they have gotten in and what can I do to protect myself?

Please explain in layman's terms and with detail, I don't know what I'm doing. Thanks
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Seems to be the culprit
No, I wouldn't think so. FreeNAS has nothing to do with TeamViewer or PayPal, and doesn't (by default, if you've installed it properly) provide any attack surface for an attacker to breach. OTOH, if you just put the server on the Internet, rather than behind a firewall, the odds are good that it's totally compromised.
 

mrphillyblunt

Dabbler
Joined
Jun 28, 2017
Messages
17
Well considering I don't know how to put it behind a firewall, that may be my issue. What can I do?
 

chris crude

Patron
Joined
Oct 13, 2016
Messages
210
Well considering I don't know how to put it behind a firewall, that may be my issue. What can I do?
Do you connect your NAS to a router or directly to your modem? Even the basic routers include SPI (stateful packet inspection) which is a basic firewall. Not enterprise quality of course, but good for the basics.
 

mrphillyblunt

Dabbler
Joined
Jun 28, 2017
Messages
17
I'm still trying to figure out just how I had TeamViewer up on my screen this morning when I don't have it installed. Someone was clearly IN my computer and that's freaking me out. I don't know what to do to prevent it.
 

brando56894

Wizard
Joined
Feb 15, 2014
Messages
1,537
I have it plugged into my Xfinity ARRIS router/modem

You should be good in that case, unless you specifically defined it to be in a DMZ (outside of the firewall but behind the router). Do you have SSH set up on FreeNAS? Do you have a really weak root or sudo user password on FreeNAS?
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
Which computer was running TeamViewer?

A Windows machine? Running what OS? XP? Do you patch it every month? Are you running an antivirus program? Does it have up to date definitions?

These items won't prevent everything, but certainly provide some protection.
 

mrphillyblunt

Dabbler
Joined
Jun 28, 2017
Messages
17
Which computer was running TeamViewer?

A Windows machine? Running what OS? XP? Do you patch it every month? Are you running an antivirus program? Does it have up to date definitions?

These items won't prevent everything, but certainly provide some protection.
Windows 10...It's a new computer, so not running any antivirus, but also haven't downloaded much yet that would leave me open.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
No, I wouldn't think so. FreeNAS has nothing to do with TeamViewer or PayPal, and doesn't (by default, if you've installed it properly) provide any attack surface for an attacker to breach. OTOH, if you just put the server on the Internet, rather than behind a firewall, the odds are good that it's totally compromised.
Well, I could imagine someone targeting FreeNAS exposed to the internet and using that to bootstrap a LAN exploit, but that's way beyond the skills of your average script kiddie.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Windows 10...It's a new computer, so not running any antivirus, but also haven't downloaded much yet that would leave me open.

If you haven't done it yet, I'd do the following:

0) disconnect the Windows computer that had TeamViewer running on it from the internet
1) back up your data
2) image the current state of its hard drive (you can use a tool like dd_rescue or Clonezilla) -- this step is optional
3) reinstall / reimage Windows. In the latest version of Windows 10 this is a feature baked into "Windows Defender Security Center" and called "Fresh start".

I never trust A/V to actually clean a computer. Burn it with fire.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Well, I could imagine someone targeting FreeNAS exposed to the internet and using that to bootstrap a LAN exploit, but that's way beyond the skills of your average script kiddie.
That's covered in the "if you installed it properly." If FreeNAS is generally exposed to the Internet, it isn't installed properly.
 

mrphillyblunt

Dabbler
Joined
Jun 28, 2017
Messages
17
Ran Malwarebytes and found a significant amount of issues. Is this sufficient to correct any problems, assuming they originated from installs?
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Is this real? People actually get compromised? I can see getting infected as part of a botnet but someone would never take the time to open a TeamViewer session and use your web browser. You have probably been compromised for months if this is true.

 

Robert Trevellyan

Pony Wrangler
Joined
May 16, 2014
Messages
3,778
I updated Flash the other day
More likely you clicked on a bogus Flash update popup.
Is this sufficient to correct any problems
Maybe. At minimum I'd run a 2nd opinion scanner such as Hitman Pro. The only way to be sure a system is clean is to completely wipe the hard drive. Even reinstalling Windows could theoretically leave a rootkit behind.
 